Order  Code  RL31787 


CRS  Report  for  Congress 

Received  through  the  CRS  Web 


Information  Operations  and  Cyberwar: 
Capabilities  and  Related  Policy  Issues 


Updated  September  14,  2006 


Clay  Wilson 

Specialist  in  Technology  and  National  Security 
Foreign  Affairs,  Defense,  and  Trade  Division 


Congressional  Research  Service  ❖  The  Library  of  Congress 



Approved  for  public  release,  distribution  unlimited 





Summary 

This  report  describes  the  emerging  areas  of  information  operations  in  the 
context  of  U.S.  national  security.  It  assesses  known  U.S.  capabilities  and  plans,  and 
suggests  related  policy  issues  of  potential  interest  to  Congress.  This  report  will  be 
updated  to  accommodate  significant  changes. 

For  military  planners,  the  control  of  information  is  critical  to  military  success, 
and  communications  networks  and  computers  are  of  vital  operational  importance. 
The  use  of  technology  to  both  control  and  disrupt  the  flow  of  information  has  been 
referred  to  by  several  names:  information  warfare,  electronic  warfare,  cyberwar, 
netwar, and Information Operations (IO). The U.S. Department of Defense has
grouped IO activities into five core capabilities: Psychological Operations, Military
Deception,  Operational  Security,  Computer  Network  Operations,  and  Electronic 
Warfare. 

Doctrine for U.S. IO now places new emphasis on Psychological Operations to
influence the decisionmaking of possible adversaries, and on Electronic Warfare to
dominate the entire electromagnetic spectrum. Some weapons used for IO are also
referred  to  as  “non-kinetic,”  and  include  high  power  microwave  (HPM)  or  other 
directed  electromagnetic  energy  weapons  that  rely  on  short  powerful  electromagnetic 
pulses  (EMP),  that  can  overpower  and  permanently  degrade  computer  circuitry. 

Several  public  policy  issues  that  Congress  may  choose  to  consider  include 
whether  the  United  States  should: 

•  encourage  or  discourage  international  arms  control  for 
cyberweapons,  as  other  nations  increase  their  cyber  capabilities; 

•  modify  U.S.  cyber-crime  legislation  to  conform  to  international 
agreements  that  make  it  easier  to  track  and  find  cyber  attackers; 

•  engage  in  covert  psychological  operations  potentially  affecting 
domestic  audiences;  or, 

•  create  new  regulation  to  hasten  improvements  to  computer  security 
for  the  nation’s  privately-owned  critical  infrastructure. 


Contents 

Introduction

Background

Definitions

Information

DOD Information Operations

DOD Information Operations Core Capabilities

Psychological Operations (PSYOP)

Military Deception (MILDEC)

Operational Security (OPSEC)

Computer Network Operations (CNO)

Computer Network Defense (CND)

Computer Network Exploitation (CNE)

Computer Network Attack (CNA)

Cyberweapons

Electronic Warfare (EW)

Domination of the Electromagnetic Spectrum

Non-Kinetic Weapons

Current DOD Command Structure for Information Operations

Policy Issues

International Arms Control for Cyberweapons

Council of Europe Convention on Cybercrime

Psychological Operations Affecting Domestic Audiences

Role of the U.S. Private Sector in Protecting Computer Security

Current Legislation




Introduction 


Background 

Control  of  information  has  always  been  part  of  military  operations.  However, 
the  U.S.  Strategic  Command  (USSTRATCOM)  reportedly  now  views  information 
operations  as  a  core  military  competency,  with  new  emphasis  on  (1)  use  of 
electromagnetic energy or cyberattack to control or disable an adversary’s computers,
and  (2)  use  of  psychological  operations  to  manipulate  an  adversary’s  perceptions.1 

The  Department  of  Defense  (DOD)  view  is  that  information  itself  is  now  a 
realm,  a  weapon,  and  a  target  of  warfare.  With  current  digital  technology,  the  U.S. 
military  now  has  the  capability  to  act  directly  upon  and  alter  the  stored  bits  of 
computer  code  that  comprise  information  inside  the  computers  or  on  the  networks 
of  adversaries.  In  addition,  DOD  asserts  that  Psychological  Operations,  including  the 
ability  to  rapidly  disseminate  persuasive  information  to  diverse  audiences  in  order  to 
directly  influence  their  decisionmaking,  is  an  increasingly  powerful  means  of 
deterring  aggression,  and  an  important  method  for  undermining  the  leadership  and 
popular  support  for  terrorist  organizations.2 

However,  new  technologies  for  military  information  operations  also  create  new 
national  security  vulnerabilities  and  new  policy  issues,  including  (1)  possible 
international  arms  control  policy  for  cyberweapons;  (2)  a  need  for  international 
cooperation for pursuit of cyber terrorists and other cyber attackers; (3) consideration
of  psychological  operations  used  to  affect  friendly  nations;  (4)  a  need  to  raise  the 
computer  security  awareness  of  the  civilian  community;  and  (5)  possible  accusations 
of  war  crimes  if  offensive  military  cyberweapons  severely  disrupt  critical  civilian 
computer  systems,  or  the  systems  of  other  non-combatant  nations. 

This  report  describes  Department  of  Defense  capabilities  for  conducting  military 
information  operations,  and  gives  an  overview  of  related  policy  issues. 


1 Jason Ma, “Information Operations To Play a Major Role in Deterrence Posture,” Inside
Missile Defense, Dec. 10, 2003
[http://www.insidedefense.com/secure/defense_docnum.asp?f=defense_2002.ask&docnum=MISSILE-9-25-4].

2  DOD  Information  Operations  Roadmap,  October  30,  2004,  p.3.  This  document  was 
declassified  January,  2006,  and  obtained  through  FOIA  by  the  National  Security  Archive 
at  George  Washington  University. 
[http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB177/info_ops_roadmap.pdf]. 




Definitions 


Information 

Information  is  a  resource  created  from  two  things:  phenomena  (data)  that  are 
observed,  plus  the  instructions  (systems)  required  to  analyze  and  interpret  the  data 
to  give  it  meaning.  The  value  of  information  is  enhanced  by  technology,  such  as 
networks  and  computer  databases,  which  enables  the  military  to  (1)  create  a  higher 
level  of  shared  awareness,  (2)  better  synchronize  command,  control,  and  intelligence, 
and  (3)  translate  information  superiority  into  combat  power. 

DOD  Information  Operations 

The DOD term for military information warfare is Information Operations (IO).
DOD information operations are actions taken during time of crisis or conflict to
affect adversary information, while defending one’s own information systems, to
achieve or promote specific objectives.3 The focus of IO is on disrupting or
influencing  an  adversary’s  decision-making  processes. 

An IO attack may take many forms, for example: (1) to slow adversary
computers,  the  software  may  be  disrupted  by  transmitting  a  virus  or  other 
cyberweapon  (see  section  on  cyberweapons  below);  (2)  to  disable  sophisticated 
adversary  weapons,  the  computer  circuitry  may  be  overheated  with  directed  high 
energy  pulses;  and  (3)  to  misdirect  enemy  radar,  powerful  signals  may  be  broadcast 
to create false images. Other methods for IO attack may include initiating TV and
radio  broadcasts  to  influence  the  opinions  and  actions  of  a  target  audience,  or  seizing 
control  of  network  communications  to  disrupt  an  adversary’s  unity  of  command. 

Computer Network Defense (CND) is the term used to describe IO procedures
that are designed to protect U.S. forces against IO attack from adversaries.
Information  Assurance  (IA),  which  is  part  of  CND,  requires  close  attention  to 
procedures  for  computer  and  information  security  (see  Computer  Network 
Operations  below). 

DOD states that IO must become a core military competency on a par with air,
ground,  maritime,  and  special  operations.  Accordingly,  new  emphasis  is  now  placed 
on  the  importance  of  dominating  the  entire  electromagnetic  spectrum  with  new  attack 
capabilities,  including  methods  for  computer  network  attack  and  electronic  warfare. 
DOD  also  emphasizes  that  because  networks  are  increasingly  the  operational  center 
of  gravity  for  warfighting,  the  U.S.  military  must  be  prepared  to  “fight  the  net”.4 
Because  the  recently  declassified  source  document  containing  this  phrase  has  some 
lines  blacked  out,  it  is  not  clear  if  “...net”  includes  the  Internet.  If  so,  then  this  phrase 
may be a recognition by DOD that Psychological Operations, including public affairs
work and public diplomacy, must be employed in new ways to counter the skillful
use of the Internet and the global news media by adversaries.

3 From the DOD Dictionary of Military and Associated Terms, Jan. 2003
[http://www.dtic.mil/doctrine/jel/doddict/data/i/index.html].

4 DOD Information Operations Roadmap, October 30, 2003, p.6-7.
[http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB177/info_ops_roadmap.pdf]


DOD  Information  Operations  Core  Capabilities 

DOD  identifies  five  core  capabilities  for  conduct  of  information  operations:  (1) 
Psychological  Operations,  (2)  Military  Deception,  (3)  Operations  Security,  (4) 
Computer  Network  Operations,  and  (5)  Electronic  Warfare.  These  capabilities  are 
interdependent,  and  increasingly  need  to  be  integrated  to  achieve  desired  effects,  such 
as  undermining  the  adversary’s  confidence  in  his  own  capabilities. 

Psychological  Operations  (PSYOP) 

DOD  defines  PSYOP  as  planned  operations  to  convey  selected  information  to 
targeted  foreign  audiences  to  influence  their  emotions,  motives,  objective  reasoning, 
and  ultimately  the  behavior  of  foreign  governments,  organizations,  groups,  and 
individuals.5  For  example,  during  Operation  Iraqi  Freedom  (OIF),  broadcast 
messages were sent from Air Force EC-130E aircraft, and from Navy ships operating
in the Persian Gulf, along with a barrage of e-mail, faxes, and cell phone calls to
numerous Iraqi leaders encouraging them to abandon support for Saddam Hussein.

At the same time, the civilian Al Jazeera news network, based in Qatar, beams
its messages to well over 35 million viewers in the Middle East, and is considered
by many to be a “market competitor” for U.S. PSYOP. Terrorist groups can also use
the Internet to quickly place their own messages before an international audience.
Some observers have stated that the U.S. will continue to lose ground in the global
media wars until it develops a coordinated strategic communications strategy to
counter competitive civilian news media, such as Al Jazeera.6

Partly  in  response  to  this  observation,  DOD  now  emphasizes  that  PSYOP  must 
be  improved  and  focused  against  potential  adversary  decisionmaking,  sometimes 
well  in  advance  of  times  of  conflict.  Products  created  for  PSYOP  must  be  based  on 
in-depth  knowledge  of  the  audience’s  decision-making  processes.  Using  this 
knowledge,  the  PSYOP  products  then  must  be  produced  rapidly,  and  disseminated 
directly  to  targeted  audiences  throughout  the  area  of  operations.7 

DOD  policy  restricts  the  use  of  PSYOP  for  targeting  American  audiences. 
However,  while  military  PSYOP  products  are  intended  for  foreign  targeted 
audiences, DOD also acknowledges that the global media may pick up some of these
targeted messages, and replay them back to the U.S. domestic audience. Therefore,
the distinction between foreign and domestic audiences cannot be maintained.8

5 DOD Dictionary of Military Terms [http://www.dtic.mil/doctrine/jel/doddict/].

6 Air Force, Operation Iraqi Freedom Information Operations Lessons Learned: First Look,
AFC2ISRC/CX, July 23, 2003
[http://www.insidedefense.com/secure/data_extra/pdf3/dplus2004_265.pdf].

7 DOD Information Operations Roadmap, October 30, 2003, p.6.
[http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB177/info_ops_roadmap.pdf]

Military  Deception  (MILDEC) 

Deception  guides  an  enemy  into  making  mistakes  by  presenting  false 
information,  images,  or  statements.  MILDEC  is  defined  as  actions  executed  to 
deliberately  mislead  adversary  military  decision  makers  with  regard  to  friendly 
military  capabilities,  thereby  causing  the  adversary  to  take  specific  actions  (or  fail  to 
take)  that  will  contribute  to  the  success  of  the  friendly  military  operation. 

As  an  example  of  deception  during  OIF,  the  U.S.  Navy  deployed  the  Tactical 
Air  Launched  Decoy  system  to  divert  fire  from  Iraqi  air  defenses  away  from  other 
real  combat  aircraft. 

Operational  Security  (OPSEC) 

OPSEC  is  defined  as  a  process  of  identifying  information  that  is  critical  to 
friendly  operations  and  which  could  enable  adversaries  to  attack  operational 
vulnerabilities.  For  example,  during  OIF,  U.S.  forces  were  warned  to  remove  certain 
information  from  DOD  public  websites,  so  that  Iraqi  forces  could  not  exploit 
sensitive  but  unclassified  information. 

Computer  Network  Operations  (CNO) 

CNO  includes  the  capability  to:  (1)  attack  and  disrupt  enemy  computer 
networks;  (2)  defend  our  own  military  information  systems;  and  (3)  exploit  enemy 
computer networks through intelligence collection.9 Reportedly, a new U.S. military
organization, called the Joint Functional Component Command for Network Warfare
(JFCCNW), is responsible for the evolving mission of Computer Network Attack.
The capabilities of the JFCCNW are highly classified, and DOD officials have
reportedly never admitted to launching a cyber attack against an enemy; however,
many  computer  security  officials  believe  the  organization  can  destroy  networks  and 
penetrate  enemy  computers  to  steal  or  manipulate  data,  and  take  down  enemy 
command-and-control  systems.  They  also  believe  that  the  organization  consists  of 
personnel  from  the  CIA,  National  Security  Agency,  FBI,  the  four  military  branches, 
and  civilians  and  military  representatives  from  allied  nations.10 

Computer  Network  Defense  (CND).  CND  is  defined  as  defensive 
measures  to  protect  information,  computers,  and  networks  from  disruption  or 
destruction.  CND  includes  actions  taken  to  monitor,  detect,  and  respond  to 
unauthorized computer activity. Responses to IO attack against U.S. forces may
include use of passive information assurance tools, such as firewalls or data
encryption, or may include actions such as monitoring adversary computers to
determine their capabilities before they attempt an IO attack against U.S. forces.

8 DOD Information Operations Roadmap, October 30, 2003, p.26.
[http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB177/info_ops_roadmap.pdf]

9 US Strategic Command Fact File [http://www.stratcom.af.mil/factsheetshtml/jtf-cno.htm].

10 John Lasker, U.S. Military’s Elite Hacker Crew, April 18, 2005, Wired News,
[http://www.wired.com/news/privacy/0,67223-0.html?tw=wn_story_page_prev2].

DOD  believes  that  CND  may  lack  sufficient  policy  and  legal  analysis  for 
guiding  appropriate  responses  to  intrusions  or  attacks  on  DOD  networks.  Therefore, 
DOD  has  recommended  that  a  legal  review  be  conducted  to  determine  what  level  of 
data  manipulation  constitutes  an  attack.  The  distinction  is  necessary  in  order  to 
clarify  whether  an  action  should  be  called  an  attack  or  an  intelligence  collection 
operation,  and  which  aggressive  actions  can  be  appropriately  taken  in  self-defense. 
This  legal  review  should  also  determine  if  appropriate  authorities  permit  U.S.  forces 
to  retaliate  through  unwitting  computer  hosts.  And  finally,  DOD  has  recommended 
structuring  a  legal  regime  that  applies  separately  to  domestic  and  to  foreign  sources 
of CNA against DOD or the U.S. infrastructure.11

Computer  Network  Exploitation  (CNE).  CNE  is  an  area  of  Information 
Operations  that  is  not  yet  clearly  defined  within  DOD.  Before  a  crisis  develops, 
DOD seeks to prepare the IO battlespace through intelligence, surveillance, and
reconnaissance, and through extensive planning activities. This involves espionage
that, in the case of IO, is usually performed through network tools that penetrate
adversary systems to return information about system vulnerabilities, or that make
unauthorized copies of important files. Tools used for CNE are similar to those used
for CNA, but configured for intelligence collection rather than system disruption.

Computer  Network  Attack  (CNA).  CNA  is  defined  as  operations  to  disrupt 
or  destroy  information  resident  in  computers  and  computer  networks.  As  a 
distinguishing  feature,  CNA  relies  on  a  data  stream  used  as  a  weapon  to  execute  an 
attack.  For  example,  sending  a  digital  signal  stream  through  a  network  to  instruct  a 
controller  to  shut  off  the  power  flow  is  CNA,  while  sending  a  high  voltage  surge 
through  the  electrical  power  cable  to  short  out  the  power  supply  is  Electronic 
Warfare. 

During  Operation  Iraqi  Freedom,  U.S.  and  coalition  forces  reportedly  did  not 
carry  out  computer  network  attacks  against  Iraqi  systems.  Even  though 
comprehensive IO plans were prepared in advance, several DOD officials reportedly
stated  that  top-level  approval  for  several  computer  attack  missions  was  not  granted 
until  it  was  too  late  to  carry  them  out  to  achieve  war  objectives.12  U.S.  officials 
reportedly  may  have  rejected  launching  a  planned  cyber  attack  against  Iraqi  financial 
computers  because  Iraq’s  banking  network  is  connected  to  a  financial 
communications network located in Europe. According to Pentagon sources, an IO
attack  directed  at  Iraq  might  also  have  brought  down  banks  and  ATM  machines 
located  in  parts  of  Europe  as  well.  Such  global  network  interconnections,  plus  close 
network links between Iraqi military computer systems and the civilian infrastructure,
reportedly frustrated attempts by U.S. forces to design a cyber attack that would be
limited to military targets only in Iraq.13

11 DOD Information Operations Roadmap, October 30, 2003, p.52.
[http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB177/info_ops_roadmap.pdf]

12 Elaine Grossman, “Officials: Space, Info Targets Largely Cobbled On-The-Fly for Iraq,”
Inside the Pentagon, May 29, 2003.

Cyberweapons.  Cyberweapons  are  computer  programs  capable  of  disrupting 
the  data  storage  or  processing  logic  of  enemy  computers.  Cyberweapons  include  (1) 
offensive  attack  tools,  such  as  viruses,  Trojan  horses,  denial-of-service  attack  tools; 
(2)  “dual  use”  tools,  such  as  port  vulnerability  scanners,  and  network  monitoring 
tools;  and,  (3)  defensive  tools,  such  as  encryption  and  firewalls. 

Cyberweapons  are  becoming  easier  to  obtain,  easier  to  use,  and  more  powerful. 
In  a  1999  study,  the  National  Institute  of  Standards  and  Technology  (NIST)  found 
that  many  newer  attack  tools,  available  on  the  Internet,  can  now  easily  penetrate  most 
networks,  and  many  others  are  effective  in  penetrating  firewalls  and  attacking 
Internet  routers.  Other  tools  allow  attacks  to  be  launched  by  simply  typing  the 
Internet  address  of  a  designated  target  directly  into  the  attack-enabling  website.14 

In  a  meeting  held  in  January  2003,  at  the  Massachusetts  Institute  of  Technology, 
White  House  officials  sought  input  from  experts  outside  government  on  guidelines 
for  use  of  cyberweapons.  Officials  have  stated  they  are  proceeding  cautiously,  since 
a  cyberattack  could  have  serious  cascading  effects,  perhaps  causing  major  disruption 
to  networked  civilian  systems.15 

In February 2003, the Bush Administration announced that it had developed national-level
guidance  for  determining  when  and  how  the  United  States  would  launch  computer 
network  attacks  against  foreign  adversary  computer  systems.  The  classified 
guidance,  known  as  National  Security  Presidential  Directive  16  (classified),  is 
intended  to  clarify  circumstances  under  which  an  attack  would  be  justified,  and  who 
has  authority  to  launch  a  computer  attack. 

Electronic  Warfare  (EW) 

EW  is  defined  as  any  military  action  involving  the  direction  or  control  of 
electromagnetic  spectrum  energy  to  deceive  or  attack  the  enemy.  High  power 
electromagnetic  energy  can  be  used  as  a  tool  to  overload  or  disrupt  the  circuitry  of 
electronic  equipment,  such  as  computers,  radios,  telephones,  and  almost  anything  that 
uses  transistors,  circuits,  and  wiring.16 

Domination  of  the  Electromagnetic  Spectrum.  Electronic  Warfare  tools 
include weapons for jamming or overpowering enemy communications and
telemetry, and weapons that overheat circuitry. DOD now emphasizes maximum
control of the entire electromagnetic spectrum, including disrupting the full spectrum
of emerging communication systems, sensors, and weapons systems. This may
include (1) navigation warfare, including offensive space operations where global
positioning satellites may be disrupted; or, (2) methods to control adversary radio
systems that help them identify friend and foe; and, (3) methods to disrupt radar
systems, directed energy weapons, unmanned aerial vehicles (UAVs), or robots
operated by adversaries.17

13 Charles Smith, “U.S. Information Warriors Wrestle with New Weapons,” NewsMax.com,
March 13, 2003 [http://www.newsmax.com/archives/articles/2003/3/12/134712.shtml].

14 Dorothy Denning, “Reflections on Cyberweapons Controls,” Computer Security Journal,
XVI, 4, Fall, 2000, p.43-53.

15 Bradley Graham, “Bush Orders Guidelines for Cyber-Warfare,” Washington Post,
February 7, 2003, Section A, p.1.

16 CRS Report RL32544, High Altitude Electromagnetic Pulse (EMP) and High Power
Microwave (HPM) Devices: Threat Assessments, by Clay Wilson.

Recent military IO testing examined the capability to secretly enter an enemy
computer  network  and  monitor  what  their  radar  systems  could  detect.  Further 
experiments  tested  the  capability  to  take  over  enemy  computers  and  manipulate  their 
radar  to  show  false  images.18 

Non-Kinetic  Weapons.  “Non-kinetic”  is  a  term  that  is  sometimes  used  to 
describe  non-explosive  weapons  with  capabilities  for  disabling  enemy  computer 
systems.  These  weapons  emit  directed  electromagnetic  energy  that,  in  short  pulses, 
may  disable  computer  circuitry,  or  in  other  applications.  For  example,  a  non-kinetic 
weapon  might  disable  an  approaching  enemy  missile  by  directing  a  High  Power 
Microwave  (HPM)  beam  that  burns  out  the  circuitry,  or  by  sending  a  false  telemetry 
signal  that  misdirects  the  targeting  computer.19 

During  OIF,  many  Iraqi  command  bunkers  were  deeply  buried  underground  and 
proved  difficult  to  attack  using  conventional  explosives.  However,  new  HPM 
weapons  were  reportedly  considered  for  possible  use  in  attacks  against  these  targets 
because  the  numerous  communications  and  power  lines  leading  into  the  underground 
bunkers  offered  pathways  for  conducting  powerful  surges  of  electromagnetic  energy 
that  could  destroy  the  computer  equipment  inside.20 


Current DOD Command Structure for Information Operations

The  U.S.  Strategic  Command  (USSTRATCOM),  a  unified  combatant  command 
for  U.S.  strategic  forces,  controls  military  space  operations,  information  operations, 
strategic warning and intelligence assessments, global strategic operations planning,
and also has overall responsibility for Computer Network Operations (CNO).21
Much information about CNO, which includes defense against cyber attack and
security breaches, as well as the related area of offensive computer network attack,
is classified.

17 DOD Information Operations Roadmap, October 30, 2003, p.61.
[http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB177/info_ops_roadmap.pdf]

18 These programs were called Suter 1 and Suter 2, and were tested during Joint
Expeditionary Forces Experiments held at Nellis Air Force Base in 2000 and 2002. David
Fulghum, “Sneak Attack,” Aviation Week & Space Technology, June 28, 2004, p.34.

19 David Fulghum, “Sneak Attack,” Aviation Week & Space Technology, June 28, 2004,
p.34.

20 Will Dunham, “U.S. May Debut Secret Microwave Weapon versus Iraq,” Reuters,
February 2, 2003 [http://www.globalsecurity.org/org/news/2003/030202-ebomb01.htm].

The  USSTRATCOM  exercises  command  authority  over  several  Joint  Functional 
Component  Commands  (JFCCs):  (1)  space  and  global  strike;  (2)  intelligence, 
surveillance  and  reconnaissance;  (3)  network  warfare;  integrated  missile  defense;  and 
(4)  combating  weapons  of  mass  destruction.22  The  JFCCs  with  responsibility  for 
DOD  cyber  security  are  the  JFCC-Network  Warfare  (JFCC-NW),  and  the  JFCC- 
Space & Global Strike (JFCC-SGS) which also houses the Joint Information
Operations  Warfare  Center  (JIOWC).  A  third  organization  called  the  Joint  Task 
Force-Global  Network  Operations  (JTF-GNO),  also  has  responsibility  for  DOD  cyber 
security.  The  DOD  organizations  with  major  responsibility  for  defense  against  cyber 
attack  are  the  JIOWC  and  the  JTF-GNO.23 

The  JTF-GNO  is  the  organization  responsible  for  operating  and  defending  the 
DOD  information  infrastructure  (the  infrastructure  is  called  the  Global  Information 
Grid).  The  JFCC-NW  is  responsible  for  deliberate  planning  of  network  warfare, 
which  includes  coordinated  planning  of  offensive  network  attack.  The  JIOWC  is 
responsible  for  assisting  combatant  commands  with  an  integrated  approach  to 
information  operations.  These  include  operations  security,  psychological  operations, 
military  deception,  and  electronic  warfare.  It  coordinates  network  operations  and 
network  warfare  with  the  JTF-GNO  and  with  JFCC-NW. 


Policy  Issues 

Potential  oversight  issues  for  Congress  may  include  the  following: 

•  Effects  of  international  arms  control  for  cyberweapons; 

•  Need  for  international  cooperation  for  pursuit  of  cyber  terrorists  and 
other  cyber  attackers; 

• Use of psychological operations that may affect domestic audiences; and

• Need to raise the computer security awareness of the U.S. private
sector and civilian population to better protect national security.

21 United States Strategic Command, July 2006,
[http://www.stratcom.mil/organization-fnc_comp.html].

22 United States Strategic Command, July 2006,
[http://www.stratcom.mil/organization-fnc_comp.html].

23 Clark A. Murdock et al., Beyond Goldwater-Nichols: U.S. Government and Defense
Reform for a New Strategic Era, Phase 2 Report, July 2005, Center for Strategic and
International Studies, p.128,
[http://www.ndu.edu/library/docs/BeyondGoldwaterNicholsPhase2Report.pdf].

International  Arms  Control  for  Cyberweapons 

Should  the  United  States  adopt  a  position  to  encourage  or  discourage 
international  controls  for  weapons  in  cyberspace,  especially  as  other  nations,  such  as 
Iran,  China,  and  Russia  increase  their  cyber  capabilities?  Attacks  against  information 
systems  using  computer  viruses  could  be  considered  an  act  of  war  within  the  scope 
of  the  laws  of  armed  conflict,  and  some  international  organizations  are  now 
attempting to classify and control malicious computer code. In 1998 and 1999,
Russia  proposed  that  the  First  Committee  of  the  United  Nations  explore  an 
international  agreement  on  the  need  for  arms  controls  for  information  warfare 
weapons.  The  G-8  Government-Industry  Conference  on  High  Tech  Crime  in  2002 
also  sought  international  agreement  on  ways  to  classify  and  control  malicious 
computer  code. 24 

DOD has not yet developed a policy regarding international controls for
cyberweapons; however, the United States remains concerned about future
capabilities  for  foreign  nations  to  develop  their  own  effective  capabilities  for 
computer  espionage  and  computer  network  attack.25  For  example,  the  Chinese 
military  is  enhancing  its  information  operations  capabilities,  according  to  the  Defense 
Department’s  annual  report  to  Congress  on  China’s  military  prowess.26  The  report 
finds  that  China  is  placing  specific  emphasis  on  the  ability  to  perform  information 
operations  designed  to  weaken  an  enemy  force’s  command  and  control  systems.27 

Council  of  Europe  Convention  on  Cybercrime 

Military  officials  have  reportedly  stated  that  other  nations,  rather  than  terrorist 
groups,  pose  the  biggest  threat  to  U.S.  computer  networks.28  However,  the  intent  of 
a  cyberattack  directed  against  U.S.  computer  systems,  as  well  as  the  identity  of  the 


24 The G-8 included France, Germany, Japan, United Kingdom, United States, Italy,
Canada, and Russia. Denning, “Reflections on Cyberweapons Controls,” Computer
Security Journal, XVI, 4, Fall, 2000, pp. 43-53. Andrew Rathmell, “Controlling Computer
and Network Operations,” Information and Security, vol. 7, 2001, pp. 121-144.

25 A US Air Force-sponsored workshop held in March 2000 concluded that international
efforts to tackle cybercrime and cyberterrorism “could hinder US information warfare
capabilities, thus requiring new investments or new research and development to maintain
capabilities.” USAF Directorate for Nuclear and Counterproliferation and Chemical and
Biological Arms Control Institute, Cyberwarfare: What Role for Arms Control and
International Negotiations? (Washington, D.C., March 20, 2000).

26 See the FY2004 Report to Congress on PRC Military Power,
[http://www.defenselink.mil/pubs/d20040528PRC.pdf].

27  John  Bennett,  “Commission:  U.S.  Should  Push  Beijing  to  up  Pressure  on  North  Korea,” 
Inside  the  Pentagon,  June  17,  2004. 

28 Mickey McCarter, “Computer Offensive,” Military Information Technology, November
15, 2002, [http://www.mit-kmi.com/print_article.cfm?DocID=51].




attacker, may be hard to determine. To pursue their IO objectives, some countries
could  rely  on  individual  hackers  who  cannot  be  easily  linked  to  a  government.  Also, 
what  are  the  diplomatic  and  foreign  policy  implications  that  could  result  from  the 
United  States  remotely,  and  with  no  advance  notice,  conducting  computer 
surveillance  that  may  intrude  into  the  sovereignty  of  another  nation? 

An  emerging  issue  is  the  degree  to  which  the  United  States  should  pursue 
international agreements to harmonize cyber-crime legislation, and also deter cyber-crime
through tougher criminal penalties. Pursuit to identify the source of a cyber
attack  often  involves  a  trace  back  through  networks  that  may  require  the  cooperation 
of  Internet  service  providers  in  different  nations.  The  technical  problems  of  pursuit 
and  detection  are  more  difficult  if  one  or  more  of  the  nations  involved  has  a  legal 
policy  that  conflicts  with  that  of  the  United  States.29 

The  U.S.  Senate  voted  on  August  3,  2006  to  ratify  the  Council  of  Europe 
Convention on Cybercrime.30 The United States, acting as an observer at the Council
of  Europe,  participated  actively  in  the  development  of  the  Convention,  which  is  the 
only  multilateral  treaty  to  address  the  problems  of  computer-related  crime  and 
electronic  evidence  gathering.  The  Administration  has  stated  that  the  treaty  will  help 
deny  a  safe  haven  to  criminals  and  terrorists  who  can  cause  damage  to  U.S.  interests 
from  abroad  using  computer  systems.31 

The  treaty  requires  participating  nations  to  update  their  laws  to  reflect  computer 
crimes  such  as  unauthorized  intrusions  into  networks,  the  release  of  worms  and 
viruses, and copyright infringement; however, the United States will comply with the
Convention based on existing U.S. federal law, and no new implementing legislation
will be required.32 Among several reservations included in the U.S. Senate resolution


29  In  Argentina,  a  group  calling  themselves  the  X-Team,  hacked  into  the  website  of  the 
Supreme  Court  of  Argentina  in  April  2002.  The  trial  judge  stated  that  the  law  in  his  country 
covers  crime  against  people,  things  and  animals  but  not  websites.  The  group  on  trial  was 
declared  not  guilty  of  breaking  into  the  website.  Paul  Hillbeck,  “Argentine  Judge  Rules  in 
Favor of Computer Hackers,” February 5, 2002,
[http://www.siliconvalley.com/mld/siliconvalley/news/editorial/3070194.htm].

30 Carolee Walker, U.S. Senate Votes To Ratify Cybercrime Convention, USINFO, August
7, 2006,
[http://usinfo.state.gov/xarchives/display.html?p=washfile-english&y=2006&m=August&x=2006080713322lbcreklawO.5304834].

31 Declan McCullagh, “Bush Pushes for Cybercrime Treaty,” CnetNews.com, November 18,
2003, [http://news.com.com/2102-1028_3-5108854.html?tag=st.util.print]. U.S. Department
of State, Bush Asks Senate Approval to Ratify Convention on Cybercrime, Bureau of
International Information Programs, November 17, 2003,
[http://usinfo.state.gov/xarchives/display.html?p=washfile-english&y=2003&m=November&x=20031117190405rennefl0.4209101&t=usinfo/wf-latest.html].

32 Statement of Attorney General Alberto R. Gonzales on the Passage of the Cybercrime
Convention, U.S. Department of Justice Press Release, August 4, 2006,
[http://www.usdoj.gov/opa/pr/2006/August/06_ag_499.html]. See also CRS Report
RS21208, Cybercrime: The Council of Europe Convention, by Kristin Archick. Forty-six
European countries belong to the Council of Europe, which was founded in 1949. The
United States, Japan, Canada, Mexico, and the Holy See (Vatican City) are granted observer
status. The thirty-eight Council of Europe member state signatories are Albania, Armenia,




of  ratification,  the  United  States  reserves  the  right  not  to  apply  Article  6  of  the  treaty 
(this  section  discusses  “Misuse  of  Devices”)  to  devices  that  are  designed  for  the 
purpose  of  committing  offenses  such  as  “Data  interference”  and  “System 
interference”.33 

The  treaty  reportedly  expands  police  search  powers  in  some  areas  without 
corresponding  privacy  or  due  process  protections,  and  requires  police  in  participating 
nations  to  cooperate  with  police  in  other  countries,  including  arrangements  for 
mutual  assistance  and  extradition  among  participating  nations.34  While  some 
observers  say  that  international  cooperation  is  important  for  defending  against  cyber 
attacks  and  improving  global  cybersecurity,  others  point  out  that  the  treaty  also 
contains a questionable Additional Protocol35 that would require nations to imprison
anyone  guilty  of  “insulting  publicly,  through  a  computer  system”  certain  groups  of 
people  based  on  characteristics  such  as  race  or  ethnic  origin.  The  U.S.  delegation 
to  the  Council  of  Europe  has  reportedly  argued  that  such  an  addition  would  violate 
the First Amendment’s guarantee of freedom of expression.36 The Electronic
Privacy Information Center has also objected to the additional protocol, saying that
it “would create invasive investigative techniques while failing to provide
meaningful  privacy  and  civil  liberties  safeguards.”37 

The  Convention  on  Cybercrime  became  effective  initially  for  the  first  five 
ratifying  nations  on  July  1,  2004.  The  Additional  Protocol,  which  has  not  been 


Austria,  Belgium,  Bosnia-Herzegovina,  Bulgaria,  Croatia,  Cyprus,  Czech  Republic, 
Denmark,  Estonia,  Finland,  France,  Germany,  Greece,  Hungary,  Iceland,  Ireland,  Italy, 
Latvia, Lithuania, Luxembourg, Malta, Moldova, Netherlands, Norway, Poland, Portugal,
Romania, Serbia and Montenegro, Slovakia, Slovenia, Spain, Sweden, Switzerland, the
Former Yugoslav Republic of Macedonia, Ukraine, and the United Kingdom. In addition
to the United States, the convention has been ratified by 11 other nations.

33 Congressional Record, Council of Europe Convention on Cybercrime, Government
Printing Office, August 3, 2006, p.S8901. Observers have stated that the discussion of
“Illegal Devices” set out in Article 6 of the convention may lack sufficient specificity to
ensure that it will not become a basis to investigate individuals engaged in computer-related
activity that is completely lawful, and may also discourage the development of new security
tools and give government an improper role in policing scientific innovation. See Global
Internet Liberty Campaign, October 18, 2000,
[http://www.gilc.org/privacy/coe-letter-1000.html].

34  Barry  Steinhardt,  Three  cheers  for  international  cooperation,  Eurozine,  October  25, 
2005,  [http://www.eurozine.com/articles/2005-10-25-steinhardt-en.html]. 

35  Council  of  Europe,  Additional  Protocol  to  the  Convention  on  Cybercrime  Concerning  the 
Criminalisation  of  Acts  of  a  Racist  and  Xenophobic  Nature  Committed  Through  Computer 
Systems,  November  2002,  [http://www.cybercrime.gov/coehatespeechProtocol.pdf]. 

36  Council  of  Europe,  Explanatory  Report  for  the  Additional  Protocol  to  the  Convention  on 
Cybercrime, paragraph 4, [http://conventions.coe.int/Treaty/en/Reports/Html/189.htm].

37 Declan McCullagh, “Senate Debates Cybercrime Treaty,” CnetNews.com, June 18, 2004,
[http://news.com.com/2102-1028_3-5238865.html?tag=st.util.print].




signed  by  the  United  States,  became  effective  for  the  first  five  ratifying  nations  on 
March  1,  2006.38 

Psychological  Operations  Affecting  Domestic  Audiences 

Some  observers  have  stated  that  success  in  future  conflicts  will  depend  less  on 
the  will  of  governments,  and  more  on  the  perceptions  of  populations,  and  that 
perception  control  will  be  achieved  and  opinions  shaped  by  the  warring  group  that 
best  exploits  the  global  media.39 

Executive  Order  13283,  signed  by  President  George  W.  Bush  on  January  21, 
2003, established within the White House the Office of Global Communications
(OGC).40  That  office  is  currently  studying  ways  to  reach  Muslim  audiences  directly 
through  radio  and  TV,  to  counter  anti-American  sentiments.41 

However,  an  emerging  issue  may  be  whether  the  Department  of  Defense  is 
legislatively  authorized  to  engage  in  PSYOP  that  may  also  affect  domestic 
audiences.42  DOD  Joint  Publication  3-13,  released  February  2006,  provides  current 
doctrine  for  U.S.  military  Information  Operations.  However,  the  DOD  Information 
Operations  Roadmap,  published  October  2003,  states  that  PSYOP  messages  intended 
for  foreign  audiences  increasingly  are  consumed  by  the  U.S.  domestic  audience, 
usually  because  they  can  be  rebroadcast  through  the  global  media.  The  DOD 
document  states  that,  “...the  distinction  between  foreign  and  domestic  audiences 
becomes  more  a  question  of  USG  (U.S.  Government)  intent  rather  than  information 
dissemination  practices  (by  DOD).”43  This  may  be  interpreted  to  mean  that  DOD  has 
no  control  over  who  consumes  PSYOP  messages  once  they  are  retransmitted  by 
commercial  media. 


38  As  of  December  2005, 29  members  of  the  Council  plus  the  United  States,  Canada,  Japan, 
Montenegro,  and  South  Africa  have  signed  the  additional  Protocol,  and  eleven  signatories 
have  ratified  it.  See  Council  of  Europe  Convention  on  Cybercrime,  December  2005, 
[http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=12/07/2005&CL=ENG],
Council of Europe Additional Protocol to the Convention on Cybercrime, December 2005,
[http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=189&CM=8&DF=12/07/2005&CL=EN].

39 Maj. Gen. Robert Scales (Ret), Clausewitz and World War IV, Armed Forces Journal, July
2006,  p.  19. 

40  “Presidential  Documents,  Title  3  -  The  President  -  Establishing  the  Office  of  Global 
Communications,”  Federal  Register,  Vol.  68,  no.  16,  Jan.  24,  2003. 

41  OGC  has  been  up  and  running  since  July  2002,  working  to  get  the  Administration’s 
message  out  to  foreign  news  media  outlets.  Tucker  Eskew  stated  that,  “(The  President) 
knows  that  we  need  to  communicate  our  policies  and  values  to  the  world  with  greater  clarity 
and  through  dialogue  with  emerging  voices  around  the  globe.”  Scott  Lindlaw,  “New  Office 
Aims  to  Bolster  U.S.  Image,”  AP  Online,  Feb.  11,  2003. 

42  Psychological  Operations  are  authorized  for  the  military  under  Title  10,  USC,  Subtitle  A, 
Part  I,  Chapter  6,  Section  167. 

43 DOD Information Operations Roadmap, October 30, 2003, p.26,
[http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB177/info_ops_roadmap.pdf].




In  addition,  observers  have  stated  that  terrorists,  through  use  of  the  Internet,  are 
now  challenging  the  monopoly  over  mass  communications  that  both  state-owned  and 
commercial  media  have  long  exercised.  A  strategy  of  the  terrorists  is  to  propagate 
their  messages  quickly  and  repeat  them  until  they  have  saturated  cyberspace.  Internet 
messages  by  terrorist  groups  have  become  increasingly  sophisticated  through  use  of 
a  cadre  of  Internet  specialists  who  operate  computer  servers  worldwide.  Other 
observers  have  also  stated  that  al-Qaeda  now  relies  on  a  Global  Islamic  Media  Unit 
to  assist  with  its  public  outreach  efforts.44 

As  a  result  of  the  increasingly  sophisticated  use  of  networks  by  terrorist  groups 
and  the  potentially  strong  influence  of  messages  carried  by  the  global  media,  does 
DOD  now  view  the  Internet  and  the  mainstream  media  as  posing  a  vital  threat  to  its 
mission?  Will  PSYOP  be  used  to  manipulate  public  opinion,  including  domestic 
audiences,  to  reduce  opposition  to  unpopular  decisions  in  the  future? 

Role  of  the  U.S.  Private  Sector  in  Protecting  Computer 
Security 

The  National  Strategy  to  Secure  Cyberspace,45  published  February  2003,  states 
that  the  private  sector  now  has  a  crucial  role  in  protecting  national  security  because 
it  largely  runs  the  nation’s  critical  infrastructure.46  Richard  Clarke,  former  chairman 
of  the  Critical  Infrastructure  Protection  Board  (CIPB),  has  also  stated  that  the  United 
States critical infrastructure is particularly vulnerable to IO attack because cyber
attackers could possibly use the millions of home and business PCs that are poorly
protected against malicious code to launch and support a series of debilitating
assaults.  The  National  Strategy  urges  home  and  small  business  computer  users  to 
install  firewalls  and  antivirus  software,  and  calls  for  a  public-private  dialogue  to 
devise  ways  that  the  government  can  reduce  the  burden  of  security  on  home  users  and 
businesses. 

To  help  raise  awareness  about  national  security  vulnerabilities  to  possible  cyber 
attack by hackers, or IO attack by adversaries, DOD has prepared a series of DVD
and  web-based  training  products  that  provide  information  about  internal  and  external 
threats  to  information  systems.  Several  are  designed  specifically  for  users  of  federal 
computer  systems,  and  some  are  intended  for  users  who  are  not  information 


44 Jacquelyn S. Porth, Terrorists Use Cyberspace as Important Communications Tool, U.S.
Department of State, USInfo.State.Gov, May 5, 2006,
[http://usinfo.state.gov/is/Archive/2006/May/08-429418.html].

45 See the full text for National Strategy to Secure Cyberspace at
[http://www.us-cert.gov/reading_room/cyberspace_strategy.pdf].

46  The  plan  identifies  24  strategic  goals  and  gives  more  than  70  recommendations  on  how 
various  communities  can  secure  their  part  of  cyberspace.  The  communities  are  broken  down 
into  five  levels  (the  home  user,  the  large  enterprise,  critical  sectors,  the  nation,  and  the 
global  community),  [http://www.whitehouse.gov/pcipb/] 




technology  professionals,  but  who  need  to  understand  the  DOD  and  civilian 
communications  infrastructure.47 

However,  some  observers  in  the  private  sector  feel  the  plan  described  in  the 
National  Strategy  to  Secure  Cyberspace  does  not  do  enough  to  ensure  that  companies 
will adopt sound security practices, and suggest regulation is needed to supplement
or replace market forces.48 For example, the congressionally appointed Advisory
Panel to Assess Domestic Response Capabilities for Terrorism Involving Weapons
of Mass Destruction, chaired by former Virginia Governor James S. Gilmore III, has
strongly  criticized  a  draft  of  the  plan.  In  its  fourth  volume,  the  Gilmore  Report 
indicates  that  public/private  partnerships  and  market  forces  are  not  working  to  protect 
national  security  in  cyberspace.  The  Gilmore  Report  faults  the  National  Strategy 
Plan  for  relying  too  heavily  on  persuasion  to  get  the  private  sector  to  act,  and  for  not 
holding  managers  accountable  for  improving  cybersecurity  for  the  systems  they  own 
and  operate.49 

Should  the  National  Strategy  to  Secure  Cyberspace  contain  language  that 
compels  the  private  sector  to  adopt  stronger  cybersecurity  measures  to  protect 
national  security  in  cyberspace? 


Current  Legislation 

H.R.  1869,  the  Strategic  Communication  Act  of  2005,  was  introduced  in  the 
House  on  April  27,  2005,  and  was  referred  on  the  same  day  to  the  Committee  on 
International  Relations.  The  bill  is  intended  to  improve  the  conduct  of  strategic 
communication  by  the  Federal  Government.  Section  3  of  the  Bill  requires  the 
Secretary  of  State  to  report  to  Congress  a  description  of  efforts  taken  to  coordinate 
the  components  of  strategic  communication,  including  components  related  to  public 
diplomacy,  public  affairs,  international  broadcasting,  and  military  information 
operations. 


47 DOD Information Assurance Training and Awareness Products,
[http://www.securitymanagement.com/library/training_tech0902.pdf].

48 Brian Krebs, “White House Releases Cybersecurity Plan,” Washingtonpost.com, February
14, 2003.

49 Fourth Annual Report to the President and the Congress of the Advisory Panel to Assess
Domestic Response Capabilities for Terrorism Involving Weapons of Mass Destruction,
p.81, [http://www.rand.org/nsrd/terrpanel/terror4.pdf].


